I am building a mail server on Centos 6.3 and working with OpenSSL to
create a self-signed certificate for mail use.
Along the line of learning the 'best' options to use for OpenSSL and
dealing with the default SSL virtual host for Apache, I discovered that
the localhost cert created (I believe) during firstboot has the X509v3
extensions set as a CA cert (e.g. basicConstraints CA:TRUE). I was once
very involved in PKIX and legal issues on certificate policy. Having
the localhost cert being a CA cert, thus allowed to sign other certs,
MAY have legal implications in the USofA and EU.
Why was this chosen? Why is -extensions v3_req not used in the
certificate creation?
Oh you can see this for yourself with:
openssl x509 -in /etc/pki/certs/localhost.crt -text -nameopt multiline -noout | more
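As an added illustration, not part of the original post, the script below shows the difference the poster is pointing at. It builds two self-signed certificates with OpenSSL: one with a v3_req-style end-entity profile (basicConstraints CA:FALSE), and one that reproduces the reported CA:TRUE situation, then runs the same kind of `openssl x509 -text` inspection to flag which of the two is allowed to issue further certificates. It assumes `openssl` is on PATH; the hostname mail.example.test and the file names are placeholders chosen here, not values from the post.

```shell
#!/bin/sh
# Added example, not from the original post. Assumes `openssl` is on PATH.
# mail.example.test is a placeholder hostname.
set -e

WORKDIR=$(mktemp -d)
trap 'rm -rf "$WORKDIR"' EXIT

# Build a self-signed certificate whose X509v3 extensions come from the
# extension file $3. Signing a CSR with its own key via `openssl x509 -req`
# works on old and new OpenSSL releases alike (no -addext needed).
make_selfsigned() {
  key="$1"; crt="$2"; ext="$3"
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=mail.example.test" \
    -keyout "$key" -out "$crt.csr" 2>/dev/null
  openssl x509 -req -in "$crt.csr" -signkey "$key" -days 365 \
    -extfile "$ext" -out "$crt" 2>/dev/null
}

# Return 0 (true) when the certificate asserts basicConstraints CA:TRUE,
# i.e. it is marked as able to sign other certificates.
cert_is_ca() {
  openssl x509 -in "$1" -noout -text | grep -q 'CA:TRUE'
}

# End-entity profile: what a mail/web host certificate should carry.
cat > "$WORKDIR/ee.ext" <<'EOF'
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:mail.example.test
EOF

# CA-style profile: reproduces what the post reports for localhost.crt.
cat > "$WORKDIR/ca.ext" <<'EOF'
basicConstraints = CA:TRUE
EOF

make_selfsigned "$WORKDIR/mail.key" "$WORKDIR/mail.crt" "$WORKDIR/ee.ext"
make_selfsigned "$WORKDIR/ca.key"   "$WORKDIR/ca.crt"   "$WORKDIR/ca.ext"

# Inspect both the way the post suggests and report the basicConstraints.
for c in mail ca; do
  if cert_is_ca "$WORKDIR/$c.crt"; then
    echo "$c.crt: CA:TRUE  (may sign other certificates; not wanted on a mail host)"
  else
    echo "$c.crt: CA:FALSE (end-entity certificate)"
  fi
done
```

To audit an existing certificate such as the one the post names, call `cert_is_ca /etc/pki/certs/localhost.crt` instead of generating one; a host certificate that returns true is the condition the poster is objecting to, and regenerating it from an end-entity extension profile like `ee.ext` above removes it.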